This blog is a personal book on Security/ IDM related thoughts/opinions.
The blog posts are a personal opinion only and neither reflect the views of current/past employers nor any OTHER person living/dead on this planet.

WS-Trust is an extremely important specification in the WS-* world. WS-Federation, as the natural extension of those trust semantics, is equally necessary.

I do hope that all these federated identity and trust related specifications will converge in the near future. It is encouraging to see Kim Cameron preaching the concept of an "Identity Metasystem" that tries to provide a unified view irrespective of the underlying protocols and mechanisms.

Friday, October 26, 2007

Stefan and I have been discussing the usage of java.util.UUID to generate an SSO identifier similar to the one generated by Tomcat's AuthenticatorBase. Since we wanted to avoid overlap with the random id generated by AuthenticatorBase, I suggested the usage of UUID.

So we decided to explore the level 1, i.e. time-based, UUID.

After some time, Stefan gave up figuring out the way to instantiate a level 1 UUID.
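As an added illustration that is not part of the original post (and not Tomcat's or Stefan's code): java.util.UUID exposes only randomUUID(), which yields a version 4 UUID drawn from a SecureRandom, and has no factory at all for the time-based version 1 layout. The only way to obtain a version 1 value from the JDK alone is to lay out the bits yourself with the two-long constructor, which the second method below does. The timestamp, clock sequence and node values passed in main are constructed sample values, not a real host's clock or MAC address.

```java
import java.util.UUID;

public class SsoIdDemo {

    // A random (version 4) UUID is what java.util.UUID actually offers.
    // It is backed by a SecureRandom, so it is the sensible choice for an
    // SSO identifier that must be unguessable.
    public static String newSsoId() {
        return UUID.randomUUID().toString();
    }

    // Hand-built time-based (version 1) UUID, since the JDK has no factory
    // for it. Bit layout per RFC 4122:
    //   msb = time_low(32) | time_mid(16) | version(4) | time_hi(12)
    //   lsb = variant(2)   | clock_seq(14) | node(48)
    // The timestamp is counted in 100-ns intervals since 1582-10-15.
    public static UUID timeBasedUuid(long unixMillis, int clockSeq, long node) {
        final long GREGORIAN_OFFSET_100NS = 0x01B21DD213814000L; // 1582-10-15 -> 1970-01-01
        long ts = unixMillis * 10000L + GREGORIAN_OFFSET_100NS;
        long timeLow = ts & 0xFFFFFFFFL;
        long timeMid = (ts >>> 32) & 0xFFFFL;
        long timeHi  = (ts >>> 48) & 0x0FFFL;
        long msb = (timeLow << 32) | (timeMid << 16) | (1L << 12) | timeHi;
        long lsb = ((0x8000L | (clockSeq & 0x3FFFL)) << 48) | (node & 0xFFFFFFFFFFFFL);
        return new UUID(msb, lsb);
    }

    public static void main(String[] args) {
        UUID random = UUID.fromString(newSsoId());
        System.out.println("random SSO id: " + random + " version=" + random.version());

        // Constructed sample inputs: a fixed instant, clock sequence and node.
        UUID v1 = timeBasedUuid(1193356800000L, 0x1234, 0x0A0B0C0D0E0FL);
        System.out.println("time-based:    " + v1
                + " version=" + v1.version()
                + " timestamp=" + v1.timestamp()
                + " node=" + Long.toHexString(v1.node()));
    }
}
```

Note what the second output line demonstrates from a security point of view: UUID.timestamp() and UUID.node() recover the creation time and the node identifier straight from a version 1 value, so such an identifier is largely predictable to anyone who knows roughly when and where it was issued. That is exactly why it is the wrong primitive for a session or SSO token, and why sticking with the random version 4 variant is the safer outcome of this exploration.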

Monday, October 15, 2007

I am getting some requests to produce code to handle instance-based security for non-application-server code, aka business code. The projects that are directly affected are JBoss Rules (Drools), jBPM, JBoss Portal and JBoss Seam.

The idea is to provide CRUD-level access control on individual objects for data-driven applications.

In the past, OSAccess from OpenSymphony tried to address this space. Acegi Security for Spring has some support for instance-based ACLs.
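To show what "CRUD-level access on individual instances" means in code, here is an added example that is not from the original post and is not the API of any of the projects named above. The ACL is keyed on both the principal and the concrete object instance, so a permission on one invoice says nothing about another invoice, and any lookup that finds no entry is denied. The invoice ids and user names are constructed sample data.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class InstanceAclDemo {

    public enum Permission { CREATE, READ, UPDATE, DELETE }

    // Key for one ACL entry: who, and which concrete object instance.
    // Hypothetical structure written for this example.
    private static final class Key {
        final String principal;
        final String instanceId;
        Key(String principal, String instanceId) {
            this.principal = principal;
            this.instanceId = instanceId;
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Key)) return false;
            Key k = (Key) o;
            return principal.equals(k.principal) && instanceId.equals(k.instanceId);
        }
        @Override public int hashCode() {
            return 31 * principal.hashCode() + instanceId.hashCode();
        }
    }

    private final Map<Key, Set<Permission>> entries = new HashMap<>();

    public void grant(String principal, String instanceId, Permission... perms) {
        Key k = new Key(principal, instanceId);
        Set<Permission> set = entries.get(k);
        if (set == null) {
            set = EnumSet.noneOf(Permission.class);
            entries.put(k, set);
        }
        for (Permission p : perms) {
            set.add(p);
        }
    }

    // Default deny: a principal without an explicit entry for this exact
    // instance gets nothing, whatever they hold on other instances.
    public boolean isGranted(String principal, String instanceId, Permission perm) {
        Set<Permission> set = entries.get(new Key(principal, instanceId));
        return set != null && set.contains(perm);
    }

    public static void main(String[] args) {
        InstanceAclDemo acl = new InstanceAclDemo();
        // Constructed sample data: two invoices, two users.
        acl.grant("alice", "invoice:1001", Permission.READ, Permission.UPDATE);
        acl.grant("bob",   "invoice:1002", Permission.READ);

        // alice holds UPDATE on invoice 1001
        System.out.println(acl.isGranted("alice", "invoice:1001", Permission.UPDATE));
        // alice has no entry at all for invoice 1002
        System.out.println(acl.isGranted("alice", "invoice:1002", Permission.READ));
        // bob has an entry for invoice 1002 but was never granted DELETE
        System.out.println(acl.isGranted("bob",   "invoice:1002", Permission.DELETE));
    }
}
```

The point of the per-instance key is the second check: role-based or type-level security would let anyone with "read invoices" see every invoice, whereas instance-based ACLs let the business layer answer "may this user read this invoice" and fail closed when it has never been told.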

Wednesday, October 10, 2007

If you need SSO between web applications deployed to the same Tomcat Host, then you can use the Apache Tomcat SingleSignOn valve. If you need to do SSO across a JBoss cluster, then you will need the ClusteredSingleSignOn valve. Take a look at the clustered single sign-on white paper.
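The server.xml fragments below are an added example, not taken from the post or the white paper it points to. The first is the standard Tomcat Host element with the SingleSignOn valve; the second is the JBoss clustered variant, with the class name as documented for the JBoss AS 4.2 line (check the valve class shipped with your own JBoss version). Host attributes other than name are assumed to be whatever your existing configuration already has.

```xml
<!-- Tomcat: placed inside the Host, not the Engine. Every web application
     deployed under this Host then shares the authenticated principal, which
     Tomcat tracks with the JSESSIONIDSSO cookie. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>

<!-- JBoss AS cluster: the clustered valve replicates the SSO state across
     the cluster so that a node failover does not force a fresh login. -->
<Host name="localhost">
  <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
</Host>
```

Two things worth keeping in mind when you turn this on. Each application still declares its own login-config; the valve only suppresses the second and subsequent prompts once the user has authenticated to any one of them, and logging out of one application invalidates the shared SSO entry for all of them. And because a single cookie now unlocks every application on the Host, the impact of that cookie being stolen is correspondingly wider, so serve all of the participating applications over SSL rather than only the one with the login form.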

Tuesday, October 9, 2007

I mentioned in my earlier blog post that APWG recently conducted an eCrime summit in Pittsburgh. So eCrime is a menace that affects all facets of our democratic societies.

Have a look at Dr. Philip Hallam-Baker's presentation from Google Tech Talks, January 2006. I know Dr. Hallam-Baker from various working groups at W3C and other standards groups. He is a Principal Scientist/Evangelist at VeriSign.

Crime: The Real Internet Security Problem

Dr Hallam-Baker is a leading designer of Internet security protocols and has made substantial contributions to the HTTP Digest Authentication mechanism, XKMS, SAML and WS-Security. He is currently working on the DKIM email signing protocol, federated identity systems and completing his first book, The dotCrime Manifesto, which sets out a comprehensive strategy for defeating Internet crime.

Dr Hallam-Baker has a degree in Electronic Engineering from Southampton University and a doctorate in Computer Science from the Nuclear Physics Laboratory at Oxford University.

Abstract: Internet crime is a serious and growing problem. Phishing, advance fee and consumer fraud continue to grow at alarming rates. Internet crime is a business that makes huge profits for some. But despite the fact that security has regularly polled as almost every type of Internet user's top priority over the past ten years, almost none of the security mechanisms developed in response are effectively controlling Internet crime.

In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging.

Some of the blame for the widespread proliferation of online scams and phishing rests with the victims. They fall prey easily and do not pay attention to the security indicators in their user agents (aka browsers).

It is nice to know that organizations such as CABForum are actively working on making browsing secure, via the new concept of Extended Validation Certificates. CAB Forum: http://www.cabforum.org/

This is how it looks in Opera, as shown by Yngve Pettersen, Opera Security Czar (image: "EV in Opera").

Recently, on the personal insistence of Yngve, I downloaded Opera. I was quite impressed by the security indicators displayed for sites with SSL enabled. It even read my Firefox bookmarks.